rttc
Runtime type-checking for JavaScript.
2
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
mikermcneilrachaelshaw
Keywords
type-checkingvalidationstatic-analysistyped-javascript
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:particlebanana | AI (email-domain): The author field uses '@particlebanana' as a social handle (Twitter/GitHub), not an email address. No actual email domain is at risk of hijacking here. | ai | |
| provenance | publisher-changed | AI (provenance): rachaelshaw is a named contributor in package.json and has a strong track record (753 approved). This is an internal Sails Company team transition, not a hostile takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): rachaelshaw is a listed contributor in package.json and a well-established publisher in the Sails ecosystem. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers are all listed as contributors; this reflects an intentional org restructuring within The Sails Company, not a takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @sailshq/lodash is the Sails Company's own scoped lodash fork, a direct replacement for the lodash dep. Not a suspicious third-party injection. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is used to reconstruct a function from a pre-validated stringified function literal — a legitimate pattern in a runtime type-checking/hydration library. | ai |